Releases: erlang/otp
OTP 29.0.2
Patch Package: OTP 29.0.2
Git Tag: OTP-29.0.2
Date: 2026-06-10
Trouble Report Id: OTP-20057, OTP-20149, OTP-20150, OTP-20151,
OTP-20153, OTP-20154, OTP-20155, OTP-20156,
OTP-20160, OTP-20161, OTP-20162, OTP-20163,
OTP-20165, OTP-20166, OTP-20170, OTP-20172,
OTP-20174, OTP-20178, OTP-20181
Seq num: CVE-2026-48855, CVE-2026-48856,
CVE-2026-48858, CVE-2026-48859,
CVE-2026-48860, CVE-2026-49759,
CVE-2026-49760, GH-11104, GH-11105, GH-11152,
GH-SA-24cv-hwgr-37fq, GH-SA-3w6p-vwhf-wvp4,
GH-SA-6f4f-chj5-5g97, GH-SA-gp7x-mfv6-52cv,
GH-SA-m75x-4vwg-ggjh, GH-SA-pv7g-pjrq-x2fh,
GH-SA-xcxj-5pg2-v72j, PR-11141, PR-11145,
PR-11146, PR-11148, PR-11154, PR-11157,
PR-11168, PR-11181, PR-11186, PR-11192,
PR-11193, PR-11195, PR-11199, PR-11205,
PR-11212, PR-1234, PR-27384
System: OTP
Release: 29
Application: dialyzer-6.0.1, diameter-2.7.1,
erl_interface-5.8.1, erts-17.0.2, ftp-1.2.6,
inets-9.7.1, kernel-11.0.2, mnesia-4.26.1,
public_key-1.21.2, ssh-6.0.1, ssl-11.7.2,
stdlib-8.0.1, tools-4.2.1
Predecessor: OTP 29.0.1
Check out the git tag OTP-29.0.2, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.
dialyzer-6.0.1
The dialyzer-6.0.1 application can be applied independently of other applications on a full OTP 29 installation.
Fixed Bugs and Malfunctions
- Fix native record bugs in Dialyzer
Own Id: OTP-20178
Related Id(s): [PR-11199]
Full runtime dependencies of dialyzer-6.0.1
compiler-10.0, erts-12.0, kernel-8.0, stdlib-5.0, syntax_tools-2.0
diameter-2.7.1
The diameter-2.7.1 application can be applied independently of other applications on a full OTP 29 installation.
Fixed Bugs and Malfunctions
- Fixed return value documentation of `diameter:service_info(SvcName, statistics)`
Own Id: OTP-20150
Related Id(s): [GH-11105], [PR-11146]
Full runtime dependencies of diameter-2.7.1
erts-10.0, kernel-3.2, ssl-9.0, stdlib-5.0
erl_interface-5.8.1
The erl_interface-5.8.1 application can be applied independently of other applications on a full OTP 29 installation.
Fixed Bugs and Malfunctions
- Fixed stack overflow in `ei_s_print_term` for very big integer terms (> 2000 hexadecimal digits long).
Own Id: OTP-20160
Related Id(s): [GH-SA-xcxj-5pg2-v72j], [PR-11193], [CVE-2026-49760]
erts-17.0.2
The erts-17.0.2 application can be applied independently of other applications on a full OTP 29 installation.
Fixed Bugs and Malfunctions
- A buffer overflow error when parsing SCTP ERROR or ABORT chunks has been fixed.
This could lead to stack corruption and a VM crash, and with hard work by an attacker it could ultimately be refined into maybe even remote code execution.
Own Id: OTP-20165
Related Id(s): [GH-SA-6f4f-chj5-5g97], [PR-1234], [CVE-2026-49759]
Full runtime dependencies of erts-17.0.2
kernel-9.0, sasl-3.3, stdlib-4.1
ftp-1.2.6
The ftp-1.2.6 application can be applied independently of other applications on a full OTP 29 installation.
Fixed Bugs and Malfunctions
- FTP client default connections that use the so-called passive mode of FTP failed to properly validate the response IP of the server; hence a malicious or compromised FTP server could redirect the data connection to an arbitrary host, enabling server-side request forgery (SSRF) and FTP bounce attacks.
Own Id: OTP-20166
Related Id(s): [GH-SA-24cv-hwgr-37fq], [PR-11186], CVE-2026-48858
Full runtime dependencies of ftp-1.2.6
erts-7.0, kernel-6.0, runtime_tools-1.15.1, ssl-10.2, stdlib-3.5
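One way a client can validate the passive-mode reply described in the ftp entry above, as an added example (not the code from PR-11186 or from the ftp application, whose actual fix may differ): the address in the 227 reply is accepted only when it equals the peer address of the control connection. The module name, function names and sample replies are constructed for illustration.

```erlang
-module(pasv_check).
-export([data_endpoint/2, demo/0]).

%% Hypothetical helper, not part of the OTP ftp application.
%% Reply       - text of a 227 reply, e.g.
%%               "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
%% ControlPeer - IPv4 tuple of the control connection's peer, as
%%               returned by inet:peername/1 on the control socket.
%% Returns {ok, {Address, Port}} only when the advertised address is
%% the host the client is already talking to.
data_endpoint(Reply, ControlPeer) ->
    Pattern = "\\((\\d{1,3}),(\\d{1,3}),(\\d{1,3}),(\\d{1,3}),"
              "(\\d{1,3}),(\\d{1,3})\\)",
    case re:run(Reply, Pattern, [{capture, all_but_first, list}]) of
        {match, Fields} ->
            Ints = [list_to_integer(F) || F <- Fields],
            %% Every field is one octet; reject anything above 255.
            case lists:all(fun(N) -> N =< 255 end, Ints) of
                true  -> check_peer(Ints, ControlPeer);
                false -> {error, malformed_pasv_reply}
            end;
        nomatch ->
            {error, malformed_pasv_reply}
    end.

%% The data connection may only go to the control connection's peer.
check_peer([A, B, C, D, P1, P2], ControlPeer) ->
    Port = P1 * 256 + P2,
    case {A, B, C, D} of
        ControlPeer -> {ok, {ControlPeer, Port}};
        Advertised  -> {error, {pasv_address_mismatch, Advertised}}
    end.

%% Constructed sample replies: one naming the control peer, one naming
%% a different host, one that is not a valid 227 reply.
demo() ->
    Peer = {192, 0, 2, 10},
    SamePeer   = "227 Entering Passive Mode (192,0,2,10,195,80)",
    Redirected = "227 Entering Passive Mode (10,0,0,5,0,22)",
    [data_endpoint(SamePeer, Peer),
     data_endpoint(Redirected, Peer),
     data_endpoint("227 Entering Passive Mode", Peer)].
```

A check this strict also rejects servers that legitimately advertise a different address, for example behind NAT; EPSV replies carry only a port, so the question does not arise there.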
inets-9.7.1
The inets-9.7.1 application can be applied independently of other applications on a full OTP 29 installation.
Fixed Bugs and Malfunctions
- The HTTP client (httpc) now removes Authorization, Proxy-Authorization, Cookie, Referer, and Origin headers when following a redirect to a different host or port. Previously these headers were forwarded verbatim, potentially leaking credentials to unintended targets.
This follows the requirements of RFC 9110 §15.4.
Own Id: OTP-20155
Related Id(s): [GH-SA-m75x-4vwg-ggjh], [PR-11212], CVE-2026-48856
Full runtime dependencies of inets-9.7.1
erts-14.0, kernel-9.0, mnesia-4.12, public_key-1.13, runtime_tools-1.8.14, ssl-9.0, stdlib-5.0, stdlib-6.0
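The rule in the inets entry above, written out as an added example (not the httpc implementation): the listed headers are dropped whenever the redirect target differs in host or port from the original request. Module and function names are hypothetical, URLs and header values are constructed, and both URLs are assumed to be absolute strings.

```erlang
-module(redirect_headers).
-export([headers_for_redirect/3, demo/0]).

%% Headers the release note lists as removed on a redirect to a
%% different host or port (compared case-insensitively).
-define(SENSITIVE, ["authorization", "proxy-authorization",
                    "cookie", "referer", "origin"]).

%% Hypothetical helper, not part of inets.
%% Headers is a list of {Name, Value} string pairs.
headers_for_redirect(FromUrl, ToUrl, Headers) ->
    case host_port(FromUrl) =:= host_port(ToUrl) of
        true ->
            Headers;
        false ->
            [H || {Name, _} = H <- Headers,
                  not lists:member(string:lowercase(Name), ?SENSITIVE)]
    end.

%% Normalise a URL to {Host, Port}. A missing port is filled in from
%% the scheme, so "https://a.example" and "https://a.example:443"
%% compare equal while an https -> http downgrade does not.
host_port(Url) ->
    case uri_string:parse(Url) of
        #{scheme := Scheme, host := Host} = Parsed ->
            Default = default_port(string:lowercase(Scheme)),
            {string:lowercase(Host), maps:get(port, Parsed, Default)};
        _ ->
            %% Unparsable or host-less URL: a fresh reference never
            %% equals anything, so the headers are stripped.
            make_ref()
    end.

default_port("http")  -> 80;
default_port("https") -> 443;
default_port(_)       -> undefined.

%% Constructed request headers and redirect targets.
demo() ->
    Hs = [{"Authorization", "Bearer constructed-token"},
          {"Cookie", "sid=constructed"},
          {"Accept", "text/html"}],
    From = "https://a.example/start",
    #{same_host_default_port =>
          headers_for_redirect(From, "https://a.example:443/next", Hs),
      other_host =>
          headers_for_redirect(From, "https://b.example/next", Hs),
      other_port =>
          headers_for_redirect(From, "https://a.example:8443/next", Hs)}.
```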
kernel-11.0.2
The kernel-11.0.2 application can be applied independently of other applications on a full OTP 29 installation.
Fixed Bugs and Malfunctions
- gen_tcp_socket accept should explicitly inherit the same options as plain gen_tcp.
Own Id: OTP-20057
Full runtime dependencies of kernel-11.0.2
crypto-5.8, erts-17.0, sasl-3.0, stdlib-8.0
mnesia-4.26.1
The mnesia-4.26.1 application can be applied independently of other applications on a full OTP 29 installation.
Fixed Bugs and Malfunctions
- Fixed docs of `mnesia:write/3` to clarify when a transaction can terminate.
Own Id: OTP-20149
Related Id(s): [GH-11104], [PR-11145]
Full runtime dependencies of mnesia-4.26.1
erts-9.0, kernel-5.3, stdlib-5.0
public_key-1.21.2
The public_key-1.21.2 application can be applied independently of other applications on a full OTP 29 installation.
Fixed Bugs and Malfunctions
- Add missing macro reference for legacy algorithms md5 and sha224. This mainly improves error handling.
Own Id: OTP-20172
Related Id(s): [PR-11195]
Full runtime dependencies of public_key-1.21.2
asn1-5.0, crypto-5.8, erts-13.0, kernel-8.0, stdlib-4.0
ssh-6.0.1
The ssh-6.0.1 application can be applied independently of other applications on a full OTP 29 installation.
Fixed Bugs and Malfunctions
- Fixed a timing-based username enumeration vulnerability during password authentication with the user_passwords option. A dummy PBKDF2 computation is now performed for invalid usernames to match the response time of valid ones.
Own Id: OTP-20153
Related Id(s): [GH-SA-3w6p-vwhf-wvp4], [PR-11157], [CVE-2026-48859]
- Fixed SSH_FXP_READLINK handler in ssh_sftpd to strip the backend root prefix from symlink targets before returning them to the client, preventing disclosure of the server's absolute filesystem path when the root option is configured.
Own Id: OTP-20162
Related Id(s): [GH-SA-pv7g-pjrq-x2fh], [PR-11192], CVE-2026-48855
- Fixed a race condition where SSH keep-alive responses could consume pending channel open requests, causing channel setup to fail silently.
Own Id: OTP-20181
Related Id(s): [PR-11205]
Full runtime dependencies of ssh-6.0.1
crypto-5.7, erts-14.0, kernel-10.3, public_key-1.6.1, runtime_tools-1.15.1, stdlib-8.0
ssl-11.7.2
Note! The ssl-11.7.2 application cannot be applied independently of other applications on an arbitrary OTP 29 installation.
On a full OTP 29 installation, also the following runtime
dependency has to be satisfied:
-- public_key-1.21.1 (first satisfied in OTP 29.0.1)
Fixed Bugs and Malfunctions
- Fix miscellaneous issues that could cause unnecessary memory consumption and, in some less common scenarios or configurations, cause connection failures.
Own Id: OTP-20154
Related Id(s): [PR-11148]
- Erlang distribution over TLS run with the kernel 'check_ip' flag now properly enforces that connecting nodes are on the same LAN.
Own Id: OTP-20156
Related Id(s): [GH-SA-gp7x-mfv6-52cv], [PR-11181], [CVE-2026-48860]
- Enhance error message by fixing a typo in an atom in the new error message related to the `public_key` CVE-2026-42790 solution.
Own Id: OTP-20161
Related Id(s): [PR-11148]
- Corrected SNI handling for TLS-1.3-only servers, which could cause connection failures if the supported signature algorithms were changed by an SNI option update.
Own Id: OTP-20174
Related Id(s): [PR-27384]
Full runtime dependencies of ssl-11.7.2
crypto-5.8, erts-16.0, inets-5.10.7, kernel-10.3, public_key-1.21.1, runtime_tools-1.15.1, stdlib-7.0
stdlib-8.0.1
The stdlib-8.0.1 application can be applied independently of other applications on a full OTP 29 installation.
Fixed Bugs and Malfunctions
- Fix a bug where a tuple record operation within a native record anonymous update can crash.
Own Id: OTP-20151
Related Id(s): [PR-11141]
- Fixed some bugs in `io_lib:bformat/2` and native record printing.
Own Id: OTP-20170
Related Id(s): [PR-11154]
Full runtime dependencies of stdlib-8.0.1
compiler-5.0, crypto-4.5, erts-16.0.3, kernel-11.0, sasl-3.0, syntax_tools-3.2.1
tools-4.2.1
The tools-4.2.1 application can be applied independently of other applications on a full OTP 29 installation.
Fixed Bugs and Malfunctions
- Xref could crash instead of returning an appropriate error tuple when asked to open a BEAM file without debug information but with a `moduledoc(false)` attribute.
Own Id: OTP-20163
Related Id(s): [GH-11152], [PR-11168]
Full runtime dependencies of tools-4.2.1
compiler-8.5, crypto-5.9, erts-15.0, kernel-10.0, public_key-1.21, runtime_tools-2.1, stdlib-6.0
Thanks to
John Downey, Jonatan Männchen
OTP 28.5.0.2
Patch Package: OTP 28.5.0.2
Git Tag: OTP-28.5.0.2
Date: 2026-06-10
Trouble Report Id: OTP-19631, OTP-20057, OTP-20149, OTP-20150,
OTP-20152, OTP-20154, OTP-20155, OTP-20156,
OTP-20160, OTP-20161, OTP-20162, OTP-20165,
OTP-20166, OTP-20172, OTP-20174
Seq num: CVE-2026-48855, CVE-2026-48856,
CVE-2026-48858, CVE-2026-48860,
CVE-2026-49759, CVE-2026-49760, GH-11093,
GH-11104, GH-11105, GH-SA-24cv-hwgr-37fq,
GH-SA-6f4f-chj5-5g97, GH-SA-gp7x-mfv6-52cv,
GH-SA-m75x-4vwg-ggjh, GH-SA-pv7g-pjrq-x2fh,
GH-SA-xcxj-5pg2-v72j, PR-11096, PR-11115,
PR-11145, PR-11146, PR-11148, PR-11181,
PR-11186, PR-11192, PR-11193, PR-11195,
PR-11212, PR-1234, PR-27384
System: OTP
Release: 28
Application: dialyzer-5.4.0.1, diameter-2.6.1.1,
erl_interface-5.7.0.1, erts-16.4.0.2,
ftp-1.2.4.1, inets-9.6.2.2, kernel-10.6.3.2,
mnesia-4.25.3.1, public_key-1.20.3.2,
ssh-5.5.2.1, ssl-11.6.0.2
Predecessor: OTP 28.5.0.1
Check out the git tag OTP-28.5.0.2, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.
dialyzer-5.4.0.1
The dialyzer-5.4.0.1 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
- Fix Dialyzer crash with overriding built-in types
Full runtime dependencies of dialyzer-5.4.0.1
compiler-8.0, erts-12.0, kernel-8.0, stdlib-5.0, syntax_tools-2.0
diameter-2.6.1.1
The diameter-2.6.1.1 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
- Fixed return value documentation of `diameter:service_info(SvcName, statistics)`
Full runtime dependencies of diameter-2.6.1.1
erts-10.0, kernel-3.2, ssl-9.0, stdlib-5.0
erl_interface-5.7.0.1
The erl_interface-5.7.0.1 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
- Fixed stack overflow in `ei_s_print_term` for very big integer terms (> 2000 hexadecimal digits long).
Own Id: OTP-20160
Related Id(s): GH-SA-xcxj-5pg2-v72j, [PR-11193], CVE-2026-49760
erts-16.4.0.2
The erts-16.4.0.2 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
- Fixed bug in `ets:member/2` for `set`, `bag` and `duplicate_bag`. The bug could (maybe) lead to `ets:member` spuriously returning false for a value which is actually a member for a table that faces high insert load.
Own Id: OTP-20152
Related Id(s): PR-11115
- A buffer overflow error when parsing SCTP ERROR or ABORT chunks has been fixed.
This could lead to stack corruption and a VM crash, and with hard work by an attacker it could ultimately be refined into maybe even remote code execution.
Own Id: OTP-20165
Related Id(s): GH-SA-6f4f-chj5-5g97, [PR-1234], CVE-2026-49759
Full runtime dependencies of erts-16.4.0.2
kernel-9.0, sasl-3.3, stdlib-4.1
ftp-1.2.4.1
The ftp-1.2.4.1 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
- FTP client default connections that use the so-called passive mode of FTP failed to properly validate the response IP of the server; hence a malicious or compromised FTP server could redirect the data connection to an arbitrary host, enabling server-side request forgery (SSRF) and FTP bounce attacks.
Own Id: OTP-20166
Related Id(s): GH-SA-24cv-hwgr-37fq, [PR-11186], CVE-2026-48858
Full runtime dependencies of ftp-1.2.4.1
erts-7.0, kernel-6.0, runtime_tools-1.15.1, ssl-10.2, stdlib-3.5
inets-9.6.2.2
The inets-9.6.2.2 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
- The HTTP client (httpc) now removes Authorization, Proxy-Authorization, Cookie, Referer, and Origin headers when following a redirect to a different host or port. Previously these headers were forwarded verbatim, potentially leaking credentials to unintended targets.
This follows the requirements of RFC 9110 §15.4.
Own Id: OTP-20155
Related Id(s): GH-SA-m75x-4vwg-ggjh, [PR-11212], CVE-2026-48856
Full runtime dependencies of inets-9.6.2.2
erts-14.0, kernel-9.0, mnesia-4.12, public_key-1.13, runtime_tools-1.8.14, ssl-9.0, stdlib-5.0, stdlib-6.0
kernel-10.6.3.2
The kernel-10.6.3.2 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
- gen_tcp_socket accept should explicitly inherit the same options as plain gen_tcp.
Own Id: OTP-20057
Full runtime dependencies of kernel-10.6.3.2
crypto-5.0, erts-15.2.5, sasl-3.0, stdlib-7.0
mnesia-4.25.3.1
The mnesia-4.25.3.1 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
- Fixed docs of `mnesia:write/3` to clarify when a transaction can terminate.
Full runtime dependencies of mnesia-4.25.3.1
erts-9.0, kernel-5.3, stdlib-5.0
public_key-1.20.3.2
Note! The public_key-1.20.3.2 application cannot be applied independently of other applications on an arbitrary OTP 28 installation.
On a full OTP 28 installation, also the following runtime
dependency has to be satisfied:
-- crypto-5.8 (first satisfied in OTP 28.3)
Fixed Bugs and Malfunctions
- Add missing macro reference for legacy algorithms md5 and sha224. This mainly improves error handling.
Own Id: OTP-20172
Related Id(s): [PR-11195]
Full runtime dependencies of public_key-1.20.3.2
asn1-5.0, crypto-5.8, erts-13.0, kernel-8.0, stdlib-4.0
ssh-5.5.2.1
Note! The ssh-5.5.2.1 application cannot be applied independently of other applications on an arbitrary OTP 28 installation.
On a full OTP 28 installation, also the following runtime
dependency has to be satisfied:
-- crypto-5.7 (first satisfied in OTP 28.1)
Fixed Bugs and Malfunctions
- Fixed SSH_FXP_READLINK handler in ssh_sftpd to strip the backend root prefix from symlink targets before returning them to the client, preventing disclosure of the server's absolute filesystem path when the root option is configured.
Own Id: OTP-20162
Related Id(s): GH-SA-pv7g-pjrq-x2fh, [PR-11192], CVE-2026-48855
Full runtime dependencies of ssh-5.5.2.1
crypto-5.7, erts-14.0, kernel-10.3, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0, stdlib-6.0
ssl-11.6.0.2
Note! The ssl-11.6.0.2 application cannot be applied independently of other applications on an arbitrary OTP 28 installation.
On a full OTP 28 installation, also the following runtime
dependencies have to be satisfied:
-- crypto-5.8 (first satisfied in OTP 28.3)
-- public_key-1.20.3.1 (first satisfied in OTP 28.5.0.1)
Fixed Bugs and Malfunctions
- Fix miscellaneous issues that could cause unnecessary memory consumption and, in some less common scenarios or configurations, cause connection failures.
Own Id: OTP-20154
Related Id(s): [PR-11148]
- Erlang distribution over TLS run with the kernel 'check_ip' flag now properly enforces that connecting nodes are on the same LAN.
Own Id: OTP-20156
Related Id(s): GH-SA-gp7x-mfv6-52cv, [PR-11181], CVE-2026-48860
- Enhance error message by fixing a typo in an atom in the new error message related to the `public_key` CVE-2026-42790 solution.
Own Id: OTP-20161
Related Id(s): [PR-11148]
- Corrected SNI handling for TLS-1.3-only servers, which could cause connection failures if the supported signature algorithms were changed by an SNI option update.
Own Id: OTP-20174
Related Id(s): [PR-27384]
Full runtime dependencies of ssl-11.6.0.2
crypto-5.8, erts-16.0, inets-5.10.7, kernel-10.3, public_key-1.20.3.1, runtime_tools-1.15.1, stdlib-7.0
Thanks to
John Downey, Jonatan Männchen, Maria Scott
OTP 27.3.4.13
=== OTP-27.3.4.13 ===

Changed Applications:
- dialyzer-5.3.1.1
- diameter-2.4.1.2
- erl_interface-5.5.2.1
- erts-15.2.7.9
- ftp-1.2.3.1
- inets-9.3.2.6
- mnesia-4.23.5.3
- ssh-5.2.11.8
- ssl-11.2.12.9

Unchanged Applications:
- asn1-5.3.4.2
- common_test-1.27.7
- compiler-8.6.1.5
- crypto-5.5.3.2
- debugger-5.5.0.1
- edoc-1.3.2
- eldap-1.2.14.1
- et-1.7.1
- eunit-2.9.1
- jinterface-1.14.1
- kernel-10.2.7.4
- megaco-4.7.2.1
- observer-2.17
- odbc-2.15
- os_mon-2.10.1
- parsetools-2.6
- public_key-1.17.1.3
- reltool-1.0.1
- runtime_tools-2.1.1
- sasl-4.2.2.1
- snmp-5.18.2
- stdlib-6.2.2.3
- syntax_tools-3.2.2.2
- tftp-1.2.2.1
- tools-4.1.1
- wx-2.4.3.1
- xmerl-2.1.3.3
OTP 29.0.1
Patch Package: OTP 29.0.1
Git Tag: OTP-29.0.1
Date: 2026-05-27
Trouble Report Id: OTP-20112, OTP-20129, OTP-20130, OTP-20134,
OTP-20138, OTP-20139, OTP-20140, OTP-20141,
OTP-20146
Seq num: CVE-2026-42789, CVE-2026-42790, ERIERL-1321,
GH-11088, PR-11007, PR-11089, PR-11100,
PR-11107, PR-11123, PR-11124, PR-11125,
PR-11135, PR-11136
System: OTP
Release: 29
Application: compiler-10.0.1, erts-17.0.1, kernel-11.0.1,
public_key-1.21.1, snmp-5.20.4, ssl-11.7.1
Predecessor: OTP 29.0
Check out the git tag OTP-29.0.1, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.
POTENTIAL INCOMPATIBILITIES
- 'public_key': Adhere to RFC 9525 and remove support for the legacy fallback of checking the hostname against the subject common name. Also improve error handling by creating two separate errors for the name constraint check for subject names and subject alternative names.
'ssl': Error handling is slightly changed to better reflect public_key behaviour.
Own Id: OTP-20130
Application(s): public_key, ssl
Related Id(s): PR-11124, CVE-2026-42790
compiler-10.0.1
The compiler-10.0.1 application can be applied independently of other applications on a full OTP 29 installation.
Fixed Bugs and Malfunctions
- In rare circumstances, optimization of boolean expressions could invert the boolean value.
- The compiler could crash when compiling code using native records in certain ways.
Own Id: OTP-20146
Related Id(s): PR-11135
Full runtime dependencies of compiler-10.0.1
crypto-5.1, erts-13.0, kernel-8.4, stdlib-8.0
erts-17.0.1
The erts-17.0.1 application can be applied independently of other applications on a full OTP 29 installation.
Fixed Bugs and Malfunctions
- Comparison of two native records could return an incorrect result or crash the runtime system.
Own Id: OTP-20139
Related Id(s): PR-11107
Full runtime dependencies of erts-17.0.1
kernel-9.0, sasl-3.3, stdlib-4.1
kernel-11.0.1
The kernel-11.0.1 application can be applied independently of other applications on a full OTP 29 installation.
Fixed Bugs and Malfunctions
- On SCTP peeloff of an IPv6 socket, the peeled-off socket did not inherit the parent options as expected.
Own Id: OTP-20134
Related Id(s): PR-11007
Full runtime dependencies of kernel-11.0.1
crypto-5.8, erts-17.0, sasl-3.0, stdlib-8.0
public_key-1.21.1
The public_key-1.21.1 application can be applied independently of other applications on a full OTP 29 installation.
Fixed Bugs and Malfunctions
- OCSP responder certificates are now checked for expiration before being accepted as authorized responders. Previously, expired or not-yet-valid responder certificates were incorrectly accepted when verifying OCSP responses.
Own Id: OTP-20112
Related Id(s): PR-11136
- Corrected basic constraint path validation check in accordance with RFC 5280.
Own Id: OTP-20129
Related Id(s): PR-11123, CVE-2026-42789
- 'public_key': Adhere to RFC 9525 and remove support for the legacy fallback of checking the hostname against the subject common name. Also improve error handling by creating two separate errors for the name constraint check for subject names and subject alternative names.
'ssl': Error handling is slightly changed to better reflect public_key behaviour.
Own Id: OTP-20130
Related Id(s): PR-11124, CVE-2026-42790
*** POTENTIAL INCOMPATIBILITY ***
Full runtime dependencies of public_key-1.21.1
asn1-5.0, crypto-5.8, erts-13.0, kernel-8.0, stdlib-4.0
snmp-5.20.4
The snmp-5.20.4 application can be applied independently of other applications on a full OTP 29 installation.
Fixed Bugs and Malfunctions
- Fixed a bug in snmpm_usm:generate_outgoing_msg/5 that caused a badmatch crash when constructing an error response for an unknown user/engineID combination.
Own Id: OTP-20138
Related Id(s): ERIERL-1321, PR-11100
Full runtime dependencies of snmp-5.20.4
asn1-5.4, crypto-4.6, erts-12.0, kernel-8.0, mnesia-4.12, runtime_tools-1.8.14, stdlib-5.0
ssl-11.7.1
Note! The ssl-11.7.1 application cannot be applied independently of other applications on an arbitrary OTP 29 installation.
On a full OTP 29 installation, also the following runtime
dependency has to be satisfied:
-- public_key-1.21.1 (first satisfied in OTP 29.0.1)
Fixed Bugs and Malfunctions
- 'public_key': Adhere to RFC 9525 and remove support for the legacy fallback of checking the hostname against the subject common name. Also improve error handling by creating two separate errors for the name constraint check for subject names and subject alternative names.
'ssl': Error handling is slightly changed to better reflect public_key behaviour.
Own Id: OTP-20130
Related Id(s): PR-11124, CVE-2026-42790
*** POTENTIAL INCOMPATIBILITY ***
- Could cause server to terminate a connection without an alert towards a bad client.
Own Id: OTP-20141
Related Id(s): PR-11125
Full runtime dependencies of ssl-11.7.1
crypto-5.8, erts-16.0, inets-5.10.7, kernel-10.3, public_key-1.21.1, runtime_tools-1.15.1, stdlib-7.0
Thanks to
Martin Hässler, Paul Guyot
OTP 28.5.0.1
Patch Package: OTP 28.5.0.1
Git Tag: OTP-28.5.0.1
Date: 2026-05-27
Trouble Report Id: OTP-20112, OTP-20116, OTP-20119, OTP-20123,
OTP-20126, OTP-20128, OTP-20129, OTP-20130,
OTP-20131, OTP-20134, OTP-20138, OTP-20140,
OTP-20141
Seq num: CVE-2026-42789, CVE-2026-42790, ERIERL-1314,
ERIERL-1315, ERIERL-1321, GH-10968, GH-11030,
GH-11088, OTP-20102, PR-11007, PR-11032,
PR-11062, PR-11067, PR-11079, PR-11089,
PR-11100, PR-11123, PR-11124, PR-11125,
PR-11136
System: OTP
Release: 28
Application: compiler-9.0.6.1, erts-16.4.0.1,
inets-9.6.2.1, kernel-10.6.3.1,
public_key-1.20.3.1, snmp-5.20.2.1,
ssl-11.6.0.1, wx-2.5.4.1
Predecessor: OTP 28.5
Check out the git tag OTP-28.5.0.1, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.
POTENTIAL INCOMPATIBILITIES
- 'public_key': Adhere to RFC 9525 and remove support for the legacy fallback of checking the hostname against the subject common name. Also improve error handling by creating two separate errors for the name constraint check for subject names and subject alternative names.
'ssl': Error handling is slightly changed to better reflect public_key behaviour.
Own Id: OTP-20130
Application(s): public_key, ssl
Related Id(s): PR-11124, CVE-2026-42790
compiler-9.0.6.1
The compiler-9.0.6.1 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
- In rare circumstances, optimization of boolean expressions could invert the boolean value.
Full runtime dependencies of compiler-9.0.6.1
crypto-5.1, erts-13.0, kernel-8.4, stdlib-6.0
erts-16.4.0.1
The erts-16.4.0.1 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
- Fixed `erlang:md5_init` to always return the same deterministic context binary. Only an issue in OTP 28.5 when OTP was built with `--disable-builtin-openssl` or `--enable-use-embedded-3pp-alternatives`.
Own Id: OTP-20123
- Added explicit configure test for C++ function `std::to_chars` if option `--disable-builtin-ryu` or `--enable-use-embedded-3pp-alternatives` is used.
Own Id: OTP-20126
Related Id(s): PR-11067
Full runtime dependencies of erts-16.4.0.1
kernel-9.0, sasl-3.3, stdlib-4.1
inets-9.6.2.1
The inets-9.6.2.1 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
- A call to httpd:reload_config/2 now validates the new configuration before removing the old one, leaving the server running in case of faulty config, instead of putting it in an unrecoverable state.
Own Id: OTP-20128
Related Id(s): ERIERL-1314, PR-11079
Full runtime dependencies of inets-9.6.2.1
erts-14.0, kernel-9.0, mnesia-4.12, public_key-1.13, runtime_tools-1.8.14, ssl-9.0, stdlib-5.0, stdlib-6.0
kernel-10.6.3.1
The kernel-10.6.3.1 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
- Incorrect TOS format when using gen_udp with socket backend
Own Id: OTP-20131
Related Id(s): GH-10968, OTP-20102
- On SCTP peeloff of an IPv6 socket, the peeled-off socket did not inherit the parent options as expected.
Own Id: OTP-20134
Related Id(s): PR-11007
Full runtime dependencies of kernel-10.6.3.1
crypto-5.0, erts-15.2.5, sasl-3.0, stdlib-7.0
public_key-1.20.3.1
Note! The public_key-1.20.3.1 application cannot be applied independently of other applications on an arbitrary OTP 28 installation.
On a full OTP 28 installation, also the following runtime
dependency has to be satisfied:
-- crypto-5.8 (first satisfied in OTP 28.3)
Fixed Bugs and Malfunctions
- OCSP responder certificates are now checked for expiration before being accepted as authorized responders. Previously, expired or not-yet-valid responder certificates were incorrectly accepted when verifying OCSP responses.
Own Id: OTP-20112
Related Id(s): PR-11136
- Corrected basic constraint path validation check in accordance with RFC 5280.
Own Id: OTP-20129
Related Id(s): PR-11123, CVE-2026-42789
- 'public_key': Adhere to RFC 9525 and remove support for the legacy fallback of checking the hostname against the subject common name. Also improve error handling by creating two separate errors for the name constraint check for subject names and subject alternative names.
'ssl': Error handling is slightly changed to better reflect public_key behaviour.
Own Id: OTP-20130
Related Id(s): PR-11124, CVE-2026-42790
*** POTENTIAL INCOMPATIBILITY ***
Full runtime dependencies of public_key-1.20.3.1
asn1-5.0, crypto-5.8, erts-13.0, kernel-8.0, stdlib-4.0
snmp-5.20.2.1
The snmp-5.20.2.1 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
- Fixed a bug in snmpm_usm:generate_outgoing_msg/5 that caused a badmatch crash when constructing an error response for an unknown user/engineID combination.
Own Id: OTP-20138
Related Id(s): ERIERL-1321, PR-11100
Full runtime dependencies of snmp-5.20.2.1
asn1-5.4, crypto-4.6, erts-12.0, kernel-8.0, mnesia-4.12, runtime_tools-1.8.14, stdlib-5.0
ssl-11.6.0.1
Note! The ssl-11.6.0.1 application cannot be applied independently of other applications on an arbitrary OTP 28 installation.
On a full OTP 28 installation, also the following runtime
dependencies have to be satisfied:
-- crypto-5.8 (first satisfied in OTP 28.3)
-- public_key-1.20.3.1 (first satisfied in OTP 28.5.0.1)
Fixed Bugs and Malfunctions
- Add missing clauses to ssl_handshake:extension_value/1. If a hello extension that was missing a handling clause was present in a paused handshake, the handshake would fail.
- 'public_key': Adhere to RFC 9525 and remove support for the legacy fallback of checking the hostname against the subject common name. Also improve error handling by creating two separate errors for the name constraint check for subject names and subject alternative names.
'ssl': Error handling is slightly changed to better reflect public_key behaviour.
Own Id: OTP-20130
Related Id(s): PR-11124, CVE-2026-42790
*** POTENTIAL INCOMPATIBILITY ***
- Could cause server to terminate a connection without an alert towards a bad client.
Own Id: OTP-20141
Related Id(s): PR-11125
Full runtime dependencies of ssl-11.6.0.1
crypto-5.8, erts-16.0, inets-5.10.7, kernel-10.3, public_key-1.20.3.1, runtime_tools-1.15.1, stdlib-7.0
wx-2.5.4.1
The wx-2.5.4.1 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
- The examples for `wx` are now only installed in one place (in `doc/examples`).
Own Id: OTP-20119
Related Id(s): ERIERL-1315, PR-11032
Full runtime dependencies of wx-2.5.4.1
erts-12.0, kernel-8.0, stdlib-5.0
Thanks to
Martin Hässler, Paul Guyot
OTP 27.3.4.12
=== OTP-27.3.4.12 ===

Changed Applications:
- compiler-8.6.1.5
- inets-9.3.2.5
- public_key-1.17.1.3
- ssl-11.2.12.8

Unchanged Applications:
- asn1-5.3.4.2
- common_test-1.27.7
- crypto-5.5.3.2
- debugger-5.5.0.1
- dialyzer-5.3.1
- diameter-2.4.1.1
- edoc-1.3.2
- eldap-1.2.14.1
- erl_interface-5.5.2
- erts-15.2.7.8
- et-1.7.1
- eunit-2.9.1
- ftp-1.2.3
- jinterface-1.14.1
- kernel-10.2.7.4
- megaco-4.7.2.1
- mnesia-4.23.5.2
- observer-2.17
- odbc-2.15
- os_mon-2.10.1
- parsetools-2.6
- reltool-1.0.1
- runtime_tools-2.1.1
- sasl-4.2.2.1
- snmp-5.18.2
- ssh-5.2.11.7
- stdlib-6.2.2.3
- syntax_tools-3.2.2.2
- tftp-1.2.2.1
- tools-4.1.1
- wx-2.4.3.1
- xmerl-2.1.3.3
OTP 26.2.5.21
=== OTP-26.2.5.21 ===

Changed Applications:
- erts-14.2.5.15
- inets-9.1.0.7
- public_key-1.15.1.7
- ssl-11.1.4.13

Unchanged Applications:
- asn1-5.2.2.1
- common_test-1.26.2.4
- compiler-8.4.3.4
- crypto-5.4.2.4
- debugger-5.3.4
- dialyzer-5.1.3.1
- diameter-2.3.2.2
- edoc-1.2.1
- eldap-1.2.12
- erl_docgen-1.5.2
- erl_interface-5.5.1
- et-1.7
- eunit-2.9
- ftp-1.2.1.1
- jinterface-1.14
- kernel-9.2.4.11
- megaco-4.5.0.1
- mnesia-4.23.1.2
- observer-2.15.1
- odbc-2.14.2
- os_mon-2.9.1
- parsetools-2.5
- reltool-1.0
- runtime_tools-2.0.1
- sasl-4.2.1
- snmp-5.15
- ssh-5.1.4.15
- stdlib-5.2.3.6
- syntax_tools-3.1.0.1
- tftp-1.1.1.1
- tools-3.6
- wx-2.4.1.1
- xmerl-1.3.34.3
OTP 29.0
Initial Release: OTP 29.0
Git Tag: OTP-29.0
Date: 2026-05-13
Trouble Report Id: OTP-16607, OTP-19587, OTP-19611, OTP-19643,
OTP-19663, OTP-19672, OTP-19695, OTP-19708,
OTP-19709, OTP-19713, OTP-19734, OTP-19744,
OTP-19747, OTP-19750, OTP-19751, OTP-19763,
OTP-19766, OTP-19783, OTP-19784, OTP-19785,
OTP-19786, OTP-19793, OTP-19800, OTP-19801,
OTP-19807, OTP-19809, OTP-19811, OTP-19815,
OTP-19822, OTP-19826, OTP-19834, OTP-19838,
OTP-19842, OTP-19853, OTP-19858, OTP-19866,
OTP-19874, OTP-19882, OTP-19887, OTP-19898,
OTP-19903, OTP-19906, OTP-19910, OTP-19912,
OTP-19917, OTP-19918, OTP-19919, OTP-19921,
OTP-19922, OTP-19925, OTP-19927, OTP-19932,
OTP-19933, OTP-19934, OTP-19935, OTP-19936,
OTP-19938, OTP-19942, OTP-19943, OTP-19949,
OTP-19956, OTP-19960, OTP-19963, OTP-19964,
OTP-19965, OTP-19966, OTP-19968, OTP-19969,
OTP-19975, OTP-19980, OTP-19982, OTP-19991,
OTP-19995, OTP-19996, OTP-19997, OTP-20001,
OTP-20002, OTP-20003, OTP-20004, OTP-20010,
OTP-20013, OTP-20015, OTP-20016, OTP-20017,
OTP-20019, OTP-20020, OTP-20023, OTP-20025,
OTP-20026, OTP-20028, OTP-20029, OTP-20030,
OTP-20031, OTP-20032, OTP-20034, OTP-20035,
OTP-20036, OTP-20045, OTP-20048, OTP-20054,
OTP-20055, OTP-20059, OTP-20061, OTP-20066,
OTP-20069, OTP-20070, OTP-20071, OTP-20072,
OTP-20073, OTP-20076, OTP-20077, OTP-20078,
OTP-20079, OTP-20080, OTP-20085, OTP-20087,
OTP-20088, OTP-20090, OTP-20092, OTP-20095,
OTP-20099, OTP-20100, OTP-20102, OTP-20103,
OTP-20111, OTP-20114, OTP-20115, OTP-20116,
OTP-20117, OTP-20119, OTP-20123, OTP-20124,
OTP-20125, OTP-20126, OTP-20127, OTP-20128,
OTP-20132, OTP-20133
Seq num: ERIERL-1314, ERIERL-1315, ERIERL-1319,
GH-10071, GH-10125, GH-10151, GH-10214,
GH-10260, GH-10341, GH-10342, GH-10345,
GH-10557, GH-10650, GH-10807, GH-10968,
GH-11030, GH-8569, GH-8841, GH-8993, GH-9822,
OTP-16608, OTP-19652, OTP-19775, OTP-19779,
OTP-19827, OTP-20106, PR-10013, PR-10033,
PR-10078, PR-10114, PR-10115, PR-10126,
PR-10134, PR-10144, PR-10145, PR-10161,
PR-10166, PR-10168, PR-10187, PR-10189,
PR-10193, PR-10195, PR-10197, PR-10202,
PR-10207, PR-10230, PR-10234, PR-10243,
PR-10253, PR-10259, PR-10269, PR-10276,
PR-10277, PR-10281, PR-10304, PR-10338,
PR-10346, PR-10348, PR-10372, PR-10382,
PR-10387, PR-10417, PR-10421, PR-10422,
PR-10426, PR-10433, PR-10449, PR-10453,
PR-10478, PR-10510, PR-10511, PR-10514,
PR-10519, PR-10524, PR-10532, PR-10549,
PR-10554, PR-10556, PR-10564, PR-10568,
PR-10571, PR-10573, PR-10578, PR-10579,
PR-10580, PR-10585, PR-10592, PR-10598,
PR-10601, PR-10614, PR-10615, PR-10617,
PR-10619, PR-10626, PR-10642, PR-10646,
PR-10647, PR-10653, PR-10656, PR-10674,
PR-10710, PR-10718, PR-10730, PR-10735,
PR-10739, PR-10753, PR-10754, PR-10755,
PR-10770, PR-10782, PR-10783, PR-10801,
PR-10804, PR-10805, PR-10808, PR-10814,
PR-10817, PR-10818, PR-10819, PR-10820,
PR-10821, PR-10824, PR-10830, PR-10836,
PR-10838, PR-10839, PR-10870, PR-10892,
PR-10894, PR-10905, PR-10910, PR-10929,
PR-10938, PR-10948, PR-10949, PR-10950,
PR-10951, PR-10958, PR-10962, PR-10965,
PR-10969, PR-10970, PR-10979, PR-10986,
PR-10993, PR-10998, PR-11000, PR-11004,
PR-11010, PR-11012, PR-11019, PR-11025,
PR-11031, PR-11032, PR-11047, PR-11059,
PR-11062, PR-11067, PR-11069, PR-11073,
PR-11078, PR-11079, PR-11080, PR-7118,
PR-7315, PR-9115, PR-9125, PR-9134, PR-9153,
PR-9209, PR-9223, PR-9315, PR-9374, PR-9475,
PR-9712, PR-9814, PR-9864, PR-9866, PR-9894,
PR-9899, PR-9934, PR-9940, PR-9984
System: OTP
Release: 29
Application: asn1-5.5, common_test-1.31, compiler-10.0,
crypto-5.9, debugger-7.0, dialyzer-6.0,
diameter-2.7, edoc-1.5, eldap-1.3,
erl_interface-5.8, erts-17.0, et-1.8,
eunit-2.11, ftp-1.2.5, inets-9.7,
jinterface-1.16, kernel-11.0, megaco-4.9,
mnesia-4.26, observer-2.19, odbc-2.17,
os_mon-2.12, parsetools-2.8, public_key-1.21,
reltool-1.1, runtime_tools-2.4, sasl-4.4,
snmp-5.20.3, ssh-6.0, ssl-11.7, stdlib-8.0,
syntax_tools-4.1, tftp-1.3, tools-4.2,
wx-2.6, xmerl-2.2
Predecessor: OTP
Check out the git tag OTP-29.0, and build a full OTP system including documentation.
HIGHLIGHTS
-
The JIT now generates better code for matching or creating binaries with multiple little-endian segments.
Own Id: OTP-19747
Application(s): erts
Related Id(s): [PR-10126]
-
In the documentation for the [`compile`] module, a section has been added with recommendations for implementors of languages running on the BEAM. Documentation has also been added for the `to_abstr`, `to_exp`, and `from_abstr` options.
The documentation for [erlc] now lists `.abstr` as one of the supported options.
When compiling with the `to_abstr` option, the resulting `.abstr` file now retains any `-doc` attributes present in the source code.
Own Id: OTP-19784
Application(s): compiler, erts
Related Id(s): [PR-10230], [PR-10234]
-
Native records as described in [EEP-79] have been implemented.
A native record is a data structure similar to the traditional tuple-based records, except that it is a true data type.
Native records are considered experimental in Erlang/OTP 29 and possibly also in Erlang/OTP 30, meaning that their behavior may change, potentially requiring updates to applications that use them.
Own Id: OTP-19785
Application(s): compiler, debugger, dialyzer, erts, stdlib
Related Id(s): [PR-10617]
-
The guard BIF `is_integer/3` has been added. It follows the design of the original EEP-16, only changing the name from `is_between` to `is_integer`. This BIF takes in 3 parameters, `Term`, `LowerBound`, and `UpperBound`.
It returns `true` if `Term`, `LowerBound`, and `UpperBound` are all integers, and `LowerBound =< Term =< UpperBound`; otherwise, it returns false.
Example:
```erlang
1> I = 42.
2> is_integer(I, 0, 100).
true
```
Own Id: OTP-19809
Application(s): compiler, dialyzer, erts
Related Id(s): [PR-10276]
-
There are new functions for random permutation of a list: `rand:shuffle/1` and `rand:shuffle_s/2`. They are inspired by a suggestion and discussion on ErlangForums.
Own Id: OTP-19826
Application(s): stdlib
Related Id(s): [PR-10281]
-
In the default code path for the Erlang system, the current working directory (`.`) is now in the last position instead of the first.
Own Id: OTP-19842
Application(s): erts, kernel
*** POTENTIAL INCOMPATIBILITY ***
-
Function application is now left associative. That means one can now write:
```erlang
f(X)(Y)
```
instead of:
```erlang
(f(X))(Y)
```
Own Id: OTP-19866
Application(s): compiler
Related Id(s): [PR-9223]
-
The old-style type tests in guards (`integer`, `atom`, and so on) have been scheduled for removal in Erlang/OTP 30. They have been deprecated for a long time.
Own Id: OTP-19887
Application(s): otp
Related Id(s): [PR-10417]
-
There will now be a warning when exporting variables out of a subexpression. For example:
```erlang
case file:open(File, AllOpts = [write,{encoding,utf8}]) of
    {ok,Fd} -> {Fd,AllOpts}
end
```
To avoid the warning, this can be rewritten to:
```erlang
AllOpts = [write,{encoding,utf8}],
case file:open(File, AllOpts) of
    {ok,Fd} -> {Fd,AllOpts}
end
```
The warning can be suppressed by giving option `nowarn_export_var_subexpr` to the compiler.
Own Id: OTP-19898
Application(s): compiler, stdlib
Related Id(s): [PR-9134]
-
There is a new option `warn_obsolete_bool_op` that instructs the compiler to emit warnings for the `and` and `or` operators. It is recommended to instead use the modern `andalso` and `orelse` operators, or `,` and `;` in guards.
Own Id: OTP-19918
Application(s): compiler
Related Id(s): [PR-9115]
-
`gr...
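An added check, not part of the release notes or of OTP itself, for the code-path change listed above under OTP-19842: it reports where `.` sits in `code:get_path()` and which `.beam` files in the working directory share a name with a module in another code-path directory, which are the modules whose resolution changes when `.` moves from first to last. The module name `cwd_path_audit` and its function names are hypothetical.

```erlang
-module(cwd_path_audit).
-export([dot_position/1, shadowed/2, report/0]).

%% 1-based position of "." in a code path, or 'none' if it is absent.
dot_position(Path) -> dot_position(Path, 1).

dot_position([], _N) -> none;
dot_position(["." | _], N) -> N;
dot_position([_ | T], N) -> dot_position(T, N + 1).

%% .beam files in CwdDir whose module name also exists in another code-path
%% directory. Names are returned as strings so that no atoms are created
%% from file names found on disk.
shadowed(CwdDir, Path) ->
    Cwd = filename:absname(CwdDir),
    Others = [D || D <- Path, D =/= ".", filename:absname(D) =/= Cwd],
    [{filename:basename(Beam, ".beam"), Dirs}
     || Beam <- filelib:wildcard("*.beam", CwdDir),
        Dirs <- [[D || D <- Others,
                       filelib:is_regular(filename:join(D, Beam))]],
        Dirs =/= []].

%% Run on the live node, from the directory the system is started in.
report() ->
    Path = code:get_path(),
    #{dot_position => dot_position(Path),
      path_length  => length(Path),
      shadowed     => shadowed(".", Path)}.
```

Comparing `dot_position` with `path_length` shows whether a node uses the new ordering; a non-empty `shadowed` list names the modules to review before upgrading.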
OTP 28.5
Patch Package: OTP 28.5
Git Tag: OTP-28.5
Date: 2026-04-23
Trouble Report Id: OTP-16607, OTP-19162, OTP-19967, OTP-20038,
OTP-20043, OTP-20082, OTP-20094, OTP-20098,
OTP-20101, OTP-20106
Seq num: GH-10667, GH-10812, GH-10915, GH-10967,
OTP-16608, PR-10431, PR-10881, PR-10908,
PR-10924, PR-10957, PR-10976, PR-11002,
PR-11045
System: OTP
Release: 28
Application: erl_interface-5.7, erts-16.4, mnesia-4.25.3,
ssl-11.6
Predecessor: OTP 28.4.3
Check out the git tag OTP-28.5, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.
HIGHLIGHTS
-
There is a new "Secure Coding Guidelines" document in Design Principles describing how to write secure Erlang code.
Own Id: OTP-20043
Application(s): otp
Related Id(s): PR-10431
OTP-28.5
Improvements and New Features
-
There is a new "Secure Coding Guidelines" document in Design Principles describing how to write secure Erlang code.
Own Id: OTP-20043
Related Id(s): PR-10431
*** HIGHLIGHT ***
erl_interface-5.7
The erl_interface-5.7 application can be applied independently of other applications on a full OTP 28 installation.
Improvements and New Features
-
A new `configure` option `--{enable,disable}-use-embedded-3pp-alternatives` has been added. When enabled, `configure` is forced to find alternatives to a subset of the embedded third-party products (3pps) in the runtime system, and when disabled, `configure` will use all internal embedded 3pps. Currently this option affects `zstd`, `zlib`, `ryu` (with `STL`), `openssl` and `tcl`. The default is to use all built-in embedded 3pps except for `zlib`, which by default will use `zlib` on the OS if available.
Requirements for alternatives:
  - `zstd` - Static library and include files of at least version 1.5.6 need to be available.
  - `zlib` - Library and include files of at least version 1.2.5 need to be available.
  - `ryu` (with `STL`) - A usable C++ compiler with C++17 support.
  - `openssl` - No requirements. Our own MD5 implementation will be used.
  - `tcl` - The `strerrorname_np()` function (introduced in glibc 2.32) mapping errno integers to symbolic names needs to be available.
The argument `embedded_3pps` has been added to `erlang:system_info/1`. It returns a map with information about the use of embedded 3pps in the runtime system.
Own Id: OTP-20106
Related Id(s): PR-11045
Known Bugs and Problems
-
The `ei` API for decoding/encoding terms is not fully 64-bit compatible since terms that have a representation on the external term format larger than 2 GB cannot be handled.
Own Id: OTP-16607
Related Id(s): OTP-16608
erts-16.4
The erts-16.4 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
-
Fixed bug in `enif_make_map_from_arrays` for arrays with at least 33 keys. If duplicate keys existed, instead of failing, it would skip the duplicates. If fewer than 33 unique keys existed, an internally inconsistent and broken map was returned.
Own Id: OTP-20098
Related Id(s): PR-10976
-
Fixed an issue when supplying the args_file option to erl.exe on Windows that did not handle Unicode characters correctly.
Own Id: OTP-20101
Related Id(s): GH-10667
Improvements and New Features
-
A new `configure` option `--{enable,disable}-use-embedded-3pp-alternatives` has been added. When enabled, `configure` is forced to find alternatives to a subset of the embedded third-party products (3pps) in the runtime system, and when disabled, `configure` will use all internal embedded 3pps. Currently this option affects `zstd`, `zlib`, `ryu` (with `STL`), `openssl` and `tcl`. The default is to use all built-in embedded 3pps except for `zlib`, which by default will use `zlib` on the OS if available.
Requirements for alternatives:
  - `zstd` - Static library and include files of at least version 1.5.6 need to be available.
  - `zlib` - Library and include files of at least version 1.2.5 need to be available.
  - `ryu` (with `STL`) - A usable C++ compiler with C++17 support.
  - `openssl` - No requirements. Our own MD5 implementation will be used.
  - `tcl` - The `strerrorname_np()` function (introduced in glibc 2.32) mapping errno integers to symbolic names needs to be available.
The argument `embedded_3pps` has been added to `erlang:system_info/1`. It returns a map with information about the use of embedded 3pps in the runtime system.
Own Id: OTP-20106
Related Id(s): PR-11045
Full runtime dependencies of erts-16.4
kernel-9.0, sasl-3.3, stdlib-4.1
mnesia-4.25.3
The mnesia-4.25.3 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
-
Added documentation for `user_properties` and functions `read_table_property/2`, `write_table_property/2`, `delete_table_property`. Enhanced documentation for `frag_properties`.
-
Fixed a bug where stacktrace was not returned from `mnesia:transaction/1` when transaction aborts with an error exception.
Full runtime dependencies of mnesia-4.25.3
erts-9.0, kernel-5.3, stdlib-5.0
ssl-11.6
Note! The ssl-11.6 application cannot be applied independently of other applications on an arbitrary OTP 28 installation.
On a full OTP 28 installation, also the following runtime
dependencies have to be satisfied:
-- crypto-5.8 (first satisfied in OTP 28.3)
-- public_key-1.20.3 (first satisfied in OTP 28.4.2)
Fixed Bugs and Malfunctions
-
Preserve inet option order, as the inet_backend option must be the first option. This makes the inet_backend option work for ssl independently of the number of inet options supplied.
Own Id: OTP-19162
Related Id(s): PR-10908
-
Missing conformance check for signature algorithms in TLS-1.3 could cause selection of incompatible certificate when a server is configured with more than one possible certificate.
Improvements and New Features
-
Avoid unnecessary memory consumption for temporary processes in a supervision tree.
Own Id: OTP-19967
Related Id(s): PR-10957
Full runtime dependencies of ssl-11.6
crypto-5.8, erts-16.0, inets-5.10.7, kernel-10.3, public_key-1.20.3, runtime_tools-1.15.1, stdlib-7.0
Thanks to
felipe stival, Hewwho, Hugo Baraúna, Nick Vatamaniuc, Viktor Söderqvist, William Yang
OTP 28.4.3
Patch Package: OTP 28.4.3
Git Tag: OTP-28.4.3
Date: 2026-04-21
Trouble Report Id: OTP-20081, OTP-20086, OTP-20104
Seq num: #10968, CVE-2026-32147, PR-10985, PR-11027
System: OTP
Release: 28
Application: kernel-10.6.3, ssh-5.5.2
Predecessor: OTP 28.4.2
Check out the git tag OTP-28.4.3, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.
OTP-28.4.3
Fixed Bugs and Malfunctions
-
Fix the `otp_patch_apply` script to properly handle installation of documentation for OTP versions with more than one digit in version parts less significant than the major version.
Own Id: OTP-20086
Related Id(s): PR-10985
kernel-10.6.3
The kernel-10.6.3 application can be applied independently of other applications on a full OTP 28 installation.
Fixed Bugs and Malfunctions
-
On Windows, sockets have to be bound when using 'socket'. Therefore, when using gen_tcp with inet_backend = socket, gen_tcp_socket binds even if the caller has not provided an explicit bind address. In that case it attempts to locate a "proper" address on its own. But if the connect address is the loopback address, this could lead to an attempt to bind to an external interface. This has now been changed so that if the connect address is the loopback address, the loopback address will also be used when binding.
Own Id: OTP-20104
Related Id(s): #10968
Full runtime dependencies of kernel-10.6.3
crypto-5.0, erts-15.2.5, sasl-3.0, stdlib-7.0
ssh-5.5.2
Note! The ssh-5.5.2 application cannot be applied independently of other applications on an arbitrary OTP 28 installation.
On a full OTP 28 installation, also the following runtime
dependency has to be satisfied:
-- crypto-5.7 (first satisfied in OTP 28.1)
Fixed Bugs and Malfunctions
-
Fixed a vulnerability in the SFTP server where file attributes could be modified outside the configured root directory. When using FSETSTAT on an open file handle, the operation used the path stored in the handle without verifying it was within the root directory, allowing attribute changes to files outside the chroot boundary.
Thanks to John Downey.
Own Id: OTP-20081
Related Id(s): PR-11027, CVE-2026-32147
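The class of check described for CVE-2026-32147 above, as an added sketch that is not the ssh application's code: a handle-based attribute change validates the path stored in the handle against the root before writing. The module `sftp_root_check`, its state map and the sample paths are constructed for illustration, and paths are assumed to be absolute.

```erlang
-module(sftp_root_check).
-include_lib("kernel/include/file.hrl").
-export([within_root/2, fsetstat/3, demo/0]).

%% Lexically normalise an absolute path into components: drop "." and
%% resolve ".." without touching the file system. Symlinks are NOT
%% resolved here; a real server has to account for them separately.
normalize(Path) -> normalize(filename:split(Path), []).

normalize([], Acc) -> lists:reverse(Acc);
normalize(["." | T], Acc) -> normalize(T, Acc);
normalize([".." | T], [_, _ | _] = Acc) -> normalize(T, tl(Acc));
normalize([".." | T], Acc) -> normalize(T, Acc);   % ".." at "/" stays put
normalize([H | T], Acc) -> normalize(T, [H | Acc]).

%% Compare whole components, so "/srv/sftp-old" is not inside "/srv/sftp".
within_root(Root, Path) ->
    lists:prefix(normalize(Root), normalize(Path)).

%% Handle-based attribute change: the path comes from server state and is
%% still checked against the root before anything is written.
fsetstat(#{root := Root, handles := Handles}, Handle, Info) ->
    case Handles of
        #{Handle := Path} ->
            case within_root(Root, Path) of
                true  -> file:write_file_info(Path, Info);
                false -> {error, eacces}
            end;
        #{} ->
            {error, ebadf}
    end.

%% Constructed state: handles 2 and 3 store paths outside the root.
%% Only rejected handles are exercised, so no file is modified.
demo() ->
    State = #{root => "/srv/sftp",
              handles => #{1 => "/srv/sftp/upload/a.txt",
                           2 => "/srv/sftp/../../etc/hosts",
                           3 => "/srv/sftp-old/b.txt"}},
    Info = #file_info{mode = 8#600},
    #{inside    => within_root("/srv/sftp", "/srv/sftp/upload/a.txt"),
      traversal => fsetstat(State, 2, Info),
      sibling   => fsetstat(State, 3, Info),
      unknown   => fsetstat(State, 9, Info)}.
```

The component-wise prefix comparison is what keeps a sibling directory such as `/srv/sftp-old` from passing a check that a plain string-prefix test would accept.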
Full runtime dependencies of ssh-5.5.2
crypto-5.7, erts-14.0, kernel-10.3, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0, stdlib-6.0